FEDERAL COMMUNICATIONS COMMISSION
OFFICE OF INSPECTOR GENERAL

Report on Audit of Computer Controls at the FCC National Call Center

Audit Report No. 00-AUD-01-12
June 21, 2000

H. Walker Feaster III
Inspector General

Thomas D. Bennett
Assistant Inspector General for Audits

Table of Contents

EXECUTIVE SUMMARY
AUDIT OBJECTIVES
AUDIT SCOPE
BACKGROUND
AUDIT FINDINGS
APPENDIX A - Detailed Findings and Recommendations
APPENDIX B - Audit Criteria

EXECUTIVE SUMMARY

On October 21, 1996, the Federal Communications Commission (FCC) opened the National Call Center (NCC) at a Commission facility located in Gettysburg, Pennsylvania.
The Commission news release announcing the opening reported that the Call Center “provides simple, one stop shopping for information about FCC rules and policies.” Since its introduction in 1996, the Call Center has seen a tremendous increase in the volume of activity and in the degree to which automated tools are used to respond to customer inquiries. Initially, NCC consumer and information affairs specialists responded to customer inquiries and average monthly traffic was less than twenty thousand (20,000) calls. By March 1999, average monthly traffic (responses to customer inquiries) exceeded sixty thousand (60,000) calls, with monthly traffic occasionally exceeding eighty thousand (80,000) calls. In Fiscal Year (FY) 1998, the Commission reported that the Call Center responded to 1,070,448 calls. During the period that fieldwork was being performed on this audit, management control of the NCC was taken away from the now-defunct Compliance and Information Bureau and given to the newly created Consumer Information Bureau (CIB), and the NCC was renamed the Consumer Center. For purposes of reporting the results of our audit, we refer to the Consumer Center as the NCC or the “call center.”

The ability of the Call Center to be responsive to customer inquiries and provide accurate, timely information is heavily reliant on automated systems. The objective of this audit was to examine the Call Center’s automated computer system and the environment in which it operates, to ensure that adequate security safeguards exist to protect NCC data. To conduct this review, the OIG established a task order under our contract with the computer security firm TWM Associates, Inc. (hereafter referred to as “TWM”) to conduct an assessment of the current security posture of the general computer controls utilized throughout the Call Center.
TWM performed the audit of Call Center general computer controls in accordance with the General Accounting Office (GAO) Federal Information Systems Controls Audit Manual (FISCAM). The security requirements used as the basis of this audit were derived from Federal regulations and FCC policy. These regulations and policies included:

   •   Office of Management and Budget (OMB) Circular A-130, “Management of Federal Information Resources”, dated February 8, 1996.

   •   FCC Instruction (FCCINST) 1479.1, entitled “FCC Computer Security Program”, dated November 30, 1995.

   •   18 USC §1030, Computer Fraud and Abuse Act.

The audit was conducted in two phases. The objective of the survey phase was to identify previous audits and existing design, implementation, and operational documents that describe the business processes, organizations, and security policies associated with the NCC. The objective of the verification phase was to verify the security posture of the NCC in the areas of Security Program Planning and Management, Access Controls, Application Software Development and Change Controls, System Software, Segregation of Duties, and Service Continuity.

The audit team noted that significant technical control and internal control improvements could be made to improve the overall security posture of the NCC. Many of the procedures performed and the resulting findings focus on the plans, policies, and procedures in place to ensure that NCC systems are administered in a secure manner. The technology-based findings focus on the secure implementation and deployment of technology within the NCC systems. Plans, policies, procedures and properly implemented technical controls are inextricably linked.
The plans, policies, and procedures provide guidance to ensure that the technology utilized in the system provides a minimum threshold of security, while the implementation of the technical controls themselves ensures that the security goals and objectives put forth by management are achieved.

Based on the audit procedures performed and the findings identified by the audit, NCC systems’ general computer controls as implemented are not sufficient to meet minimum security requirements. Specifically, this audit uncovered one hundred three (103) findings, thirteen (13) of which were classified with a high level of risk, fifty-two (52) with a medium level of risk, and thirty-eight (38) with a low level of risk [1]. Several of these findings are associated with key control areas. For example, access controls (to include system access and physical security of the computer facilities) represented sixty-nine (69) of the one hundred three (103) findings. Nine (9) of the access control findings were high risk, forty (40) were medium risk, and twenty (20) were low risk. The extent and interrelationship of these findings indicate an inadequate security posture.

A summary of the audit findings is included in the section of this report entitled “Audit Findings”. Detailed audit findings are included in Appendix A of the report, entitled “Detailed Findings and Recommendations.” Because of the sensitive nature of the detailed findings, Appendix A is watermarked “Sensitive” and distribution of Appendix A will be limited to those persons with a need for the information. In addition, Appendix B includes the relevant sections of FCC Instruction 1479.1, Computer Security Program Directive; Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources; and Title 18 USC Section 1030, Computer Fraud and Abuse Act.
These documents provided the criteria by which we assessed the adequacy of the Call Center’s general controls.

On March 31, 2000, we provided a draft report to CIB summarizing the results of our review and requesting their comments on the reported findings. We received a response from the Bureau Chief on May 31, 2000 and additional information from the CIB System Security Office (CIB-SSO) on June 13, 2000. The Bureau concurred with all of the reported findings and is currently developing corrective action plans to address the findings. We have incorporated CIB comments into the detailed findings portion of the report contained in Appendix A. We will monitor the development of these action plans and will perform a follow-up audit to assess the effectiveness of the corrective actions in addressing the deficiencies.

[1] Each finding was evaluated to determine its degree of exposure. A high risk rating is defined as a security risk extreme enough to cause on-going operational concerns in the event of an occurrence. A medium risk rating is defined as a security risk that would cause moderate on-going operational annoyances, but would not cause a business disruption in the event of an occurrence. A low risk rating is defined as a security risk that would cause minimal on-going operational efficiency issues, but would not cause a business disruption in the event of an occurrence; and/or an event that may disrupt operations but where the likelihood of an occurrence of that extent is remote.

AUDIT OBJECTIVES

The objective of this audit was to examine the NCC’s automated computer system and the environment in which it operates, to ensure that adequate security safeguards exist to protect NCC data.
Specifically, the audit assessed the general computer controls in the areas of:

       •   Security Program Planning and Management;

       •   Access Controls;

       •   Application Software Development and Change Controls;

       •   System Software;

       •   Segregation of Duties; and

       •   Service Continuity.

AUDIT SCOPE

The audit was conducted in accordance with generally accepted auditing standards and Government Auditing Standards issued by the Comptroller General of the United States. Further, the audit reviewed NCC security characteristics to determine whether they are in accordance with the federal regulation maintained in Office of Management and Budget (OMB) Circular A-130, following the general controls procedures outlined in the Federal Information Systems Controls Audit Manual (FISCAM) prescribed by the General Accounting Office (GAO).

During the period that fieldwork was being performed in this review, management control of the NCC was taken from the now-defunct Compliance and Information Bureau and given to the newly created Consumer Information Bureau, and the NCC was renamed the Consumer Center. The scope of our audit did not include an assessment of the changes resulting from the reorganization or the effect the reorganization may have on the IT controls governing the Call Center. In any event, the findings indicate significant security concerns in the NCC computer controls environment which should be addressed by the new organization.

To perform this review, we established an audit team of OIG and TWM personnel. The team employed a comprehensive set of procedures to review the general controls currently employed by the NCC site.
During the first phase of the audit, the audit team surveyed information on FCC policies, previous OIG or other regulatory audit reports and methodologies, and design, implementation and operational audit documents covering the NCC. As part of this effort, the audit team focused on the NCC topology (high level) and the network schematic (low level) of NCC connectivity, including identification of hardware, routers, and software components.

Based on our analysis of the information gathered during the survey phase, the audit team designed the steps to be performed during the verification phase of the audit. The objective of the verification phase was to verify the security posture of the NCC in the areas of Security Program Planning and Management, Access Controls, Application Software Development and Change Controls, System Software, Segregation of Duties, and Service Continuity.

The audit team performed specific general controls procedures for each of the following areas of the FISCAM:

   •   Assessed the framework and continuing cycle of activity for risk management, development of security policies, and assignment of responsibilities for monitoring the adequacy of the NCC controls;

   •   Assessed the controls that limit or detect access to computer resources: data, programs, equipment, and facilities; examined the Call Center’s automated computer systems by reviewing the NCC network architecture for security vulnerabilities, and determined whether security controls and features have been incorporated into the NCC network architecture;

   •   Assessed the controls for software development and change control;

   •   Assessed the controls for the prevention of development and/or modification of unauthorized program changes;

   •   Assessed the segregation of duties through review of policies, procedures, and organizational structure; and

   •   Assessed controls to ensure continued operations without interruption.

The FISCAM procedures were completed through a combination of manual and automated procedures. Manual procedures consisted of interviews, review of documents, review of security settings measured against vendor-recommended settings and good business practices, and review of the processes performed. Automated procedures consisted of the use of proprietary platform security review software tools and commercially available scanning tools.

In addition to the FISCAM audit procedures, the security requirements used as the basis of this audit were derived from Federal regulations and FCC policy. These regulations and policies included:

   •   Office of Management and Budget (OMB) Circular A-130, “Management of Federal Information Resources”, dated February 8, 1996.

   •   FCC Instruction (FCCINST) 1479.1, entitled “FCC Computer Security Program”, dated November 30, 1995.

   •   18 USC §1030, Computer Fraud and Abuse Act.

The sections of these regulations and policies that were relevant to this audit are included in Appendix B.

The audit took place from October 1999 through January 2000 and was conducted primarily at the FCC NCC site located at 1270 Fairfield Road in Gettysburg, Pennsylvania.

BACKGROUND

On October 21, 1996, the FCC opened the Call Center at a Commission facility located in Gettysburg, Pennsylvania.
The Commission news release announcing the opening reported that the Call Center “provides simple, one stop shopping for information about FCC rules and policies.” Since its introduction in 1996, the Call Center has seen a tremendous increase in the volume of activity and in the degree to which automated tools are used to respond to customer inquiries. Initially, NCC consumer and information affairs specialists responded to customer inquiries and average monthly traffic was less than twenty thousand (20,000) calls. By March 1999, average monthly traffic (responses to customer inquiries) exceeded sixty thousand (60,000) calls, with monthly traffic occasionally exceeding eighty thousand (80,000) calls. In Fiscal Year (FY) 1998, the Commission reported that the Call Center responded to 1,070,448 calls. During the period that fieldwork was being performed on this audit, management control of the NCC was taken away from the now-defunct Compliance and Information Bureau and given to the newly created Consumer Information Bureau (CIB), and the NCC was renamed the Consumer Center. For purposes of reporting the results of our audit, we refer to the Consumer Center as the NCC or the “call center.”

The ability of the Call Center to be responsive to customer inquiries and provide accurate, timely information is heavily reliant on automated systems. The NCC mission is supported by three (3) primary information systems. These systems, the Automatic Call Director system, the Integrated Voice Response System (IVRS), and the Expert Advisor system, support all aspects of Call Center operations.
Two (2) of the information systems address Call Center workload management and call distribution requirements. The Automatic Call Director system takes incoming calls and distributes them among the consumer and information affairs specialists, and the Integrated Voice Response System (IVRS), added in 1998, enhances Call Center traffic management. The third system, the Expert Advisor System, supports Call Center requirements for providing timely and accurate information to customers on a wide range of topics.

The NCC site consists of three (3) networks separated by infrastructure components. There is an inside network consisting of the main portion of the NCC application servers. In addition, there is a dial-in network that is connected to the inside network by a CISCO 7507 router. The dial-in network then connects to the telephone company circuit network. The Auctions site employs a Demilitarized Zone (DMZ) connected to the Internet through a CISCO PIX firewall. The DMZ is connected to the inside network through a combination of three (3) firewalls. The NCC network is connected through the Auctions site router to the inside network, and thus receives additional protection from the DMZ and the three (3) firewalls. The NCC relies upon the Commission’s Information Technology Center (ITC) for intrusion detection through an outsourcing agreement with Bell Atlantic. Bell Atlantic provides reports regularly and on demand for intrusion events such as port scans, patterns of known attacks, repetitive access denials and other signs of possible automated or manual attacks.

AUDIT FINDINGS

This audit was performed to assess the Call Center’s general computer controls for its information technology environment, ensuring that the systems are adequately secured. The audit includes recommendations to mitigate the possibility of the system being compromised.
The audit recognized both strengths and weaknesses of the technical and procedural internal controls currently employed. The Call Center has implemented controls with its limited resources in some areas, but the overall security posture can be improved. The implementation of the technical control recommendations should result in the most immediate improvement of the NCC security posture. Further, the achievement of a proper segregation of duties and the implementation of adequate technical training should also assist in achieving the minimum security requirements contained in OMB Circular A-130 and FISCAM guidance.

Based on the procedures performed in accordance with FISCAM guidance, we have concluded that there is insufficient implementation of general computer controls. While the NCC gains some general computer controls implementation from the overall FCC infrastructure, sufficient general controls do not exist at the NCC level to ensure protection of NCC resources.

The audit team noted that significant technical control and internal control improvements could be made to improve the overall security posture of the NCC. Many of the procedures performed and the resulting findings focus on the plans, policies, and procedures in place to ensure that NCC systems are administered in a secure manner. The technology-based findings focus on the secure implementation and deployment of technology within the NCC systems. Plans, policies, procedures and properly implemented technical controls are inextricably linked.
The plans, policies, and procedures provide guidance to ensure that the technology utilized in the system provides a minimum threshold of security, while the implementation of the technical controls themselves ensures that the security goals and objectives put forth by management are achieved.

This audit uncovered one hundred three (103) findings, thirteen (13) of which were classified with a high level of risk, fifty-two (52) with a medium level of risk, and thirty-eight (38) with a low level of risk. Several of these findings can be identified with key control areas. For example, access controls (to include system access and physical security of the computer facilities) represented sixty-nine (69) of the findings, nine (9) of which were high risk, forty (40) medium risk, and twenty (20) low risk. A less extensive example is in the area of network controls, which includes overall risk management and system software controls. Our audit disclosed fourteen (14) findings related to network controls, of which one (1) was high risk, ten (10) were medium risk, and three (3) were low risk. Each of these findings taken individually may or may not represent a significant security risk; however, the number of findings taken together indicates that insufficient network controls are in place. The extent and interrelationship of these findings indicate an inadequate security posture.

Based on the procedures performed and the extent of the resultant findings, NCC systems’ implemented general controls are not sufficient to meet the minimum security requirements as tested with the FISCAM procedures.
However, implementation of the audit recommendations can bring the NCC systems’ security posture in line with FISCAM and OMB Circular A-130 security requirements.

We provided a draft report to the Consumer Information Bureau (CIB) on March 31, 2000 and requested their comments on the findings. We received a response from the Bureau Chief on May 31, 2000 and additional information from the CIB System Security Office (CIB-SSO) on June 13, 2000. The Bureau concurs with all of the observations being reported and is currently developing corrective action plans to address the findings. The corrective action plans are being coordinated with all Bureaus/Offices that are impacted by the findings, to include:

               •   The Information Technology Center Applications Integration Group (ITC-AIG);
               •   The Wireless Telecommunications Bureau (WTB);
               •   The CIB Assistant Bureau Chief of Management (CIB-ABCM); and
               •   The Information Technology Center Network Development Group (ITC-NDG).

OIG will monitor the development of these action plans and will perform a follow-up audit to assess the effectiveness of the corrective actions in addressing the deficiencies.

APPENDIX A

Detailed Findings and Recommendations

OVERVIEW

The General Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM) is primarily designed for evaluations of general and application controls over financial information systems that support agency business operations. However, it is also used in evaluating the general and application controls over agency program information systems, as called for in the Government Auditing Standards issued by the Comptroller General.

The FISCAM areas reviewed in this audit, and further discussion of the audit procedures performed to evaluate the FISCAM objectives, are as follows:

1.     Security Program Planning and Management

Security program planning and management controls govern procedures for developing and updating risk management plans, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related controls. To evaluate these controls, the audit team interviewed individuals regarding security policies; hiring, termination and transfer policies; and training. In addition, employee job descriptions and employee files were reviewed as part of these procedures.

During our review of security program planning and management controls, we identified findings regarding controls over the establishment of formal policies and procedures and, where policies and procedures existed, the need to update those policies and procedures to reflect the current operating environment.

2.     Access Controls

Access controls focus on the controls that limit or detect access to computer resources (both system access and physical security of computer facilities) to protect resources against unauthorized modification, loss, and disclosure. To evaluate the access controls, the audit team analyzed the servers and network devices used in the NCC systems. The servers and devices include UNIX, Windows NT, and Novell system software, Sybase database software, Definity Audix and PBX devices, and CISCO router security settings. In addition, the Internet Protocol (IP) addresses linked to the NCC were scanned to determine if unnecessary services were present. The audit team used the FISCAM as well as proprietary technology-specific review procedures that are based on vendor recommendations and good business practices, automated security review software, and commercially available scanning tools.
Additionally, the team assessed the physical security of the facilities by reviewing physical security requirements and observing the NCC’s implementation of security measures.

A significant number of our findings were due to the installation of system and database software without changing default settings, and to a lack of consideration for the use of system audit capabilities. In addition, numerous weaknesses in physical security were identified.

3.     Application Software Development and Change Controls

Application software development and change controls are designed to prevent unauthorized programs, or unauthorized modifications to an existing program, from being implemented. The scope of our review of application software development and change controls included reviewing the informal program change controls.

Our audit found that, while informal program change control procedures could be identified for one of the NCC applications (Expert Advisor), the procedures are not formally documented and program change tracking is manual, and thus subject to error or untimely updates. The program change control process for the other applications was even less formal.

4.     System Software

System software controls focus on the controls that limit and monitor access to the system software programs and sensitive files that control the NCC’s computer hardware and secure the applications supported by the system.
To evaluate system software controls, we reviewed the development, testing, and implementation of system software such as version updates for UNIX, Windows NT, Sybase, Novell, and CISCO router software. The audit team also requested documentation as evidence of up-to-date policies and procedures for monitoring system utilities, controlling system changes, and monitoring programmers’ activities.

Our audit of system software controls disclosed that, while procedures may be used in the development, testing, and implementation of system software changes, formal procedures and support for system software changes specific to the NCC could not be provided during the course of this audit. Our recommendations in this control area include suggestions for establishing and improving current policies and procedures, in addition to technology-specific improvements.

5.     Segregation of Duties

Segregation of duties relates to controls that ensure that no one individual can control key aspects of the FCC's computer-related operations and thereby conduct unauthorized operations or gain unauthorized access to records or assets. Our review of segregation of duties included an examination of the policies, procedures and organizational structure of the NCC. We also requested documentation describing employee responsibilities, duties, and formal job descriptions; interviewed personnel; and reviewed documentation describing job rotation, vacation, staff monitoring, and manager reviews. Personnel records were also reviewed.

Our audit identified a lack of documented policies and the need for further segregation of duties among operational functions, program development functions, and system administration functions.

6.     Service Continuity

Service continuity controls are designed to ensure that service continuity is maintained when unexpected events occur; that is, critical operations continue without interruption or are promptly resumed, and critical and sensitive data are protected. A physical security audit was also performed for the NCC facility and surrounding area. During our evaluation of service continuity practices, we requested documentation of contingency and disaster recovery plans and the results of testing those plans.

Formal contingency and disaster recovery plans for the NCC were not provided during the course of the audit. While written documentation did exist for one of the applications (Expert Advisor), formal plans did not exist for the other applications or for telecommunications and infrastructure processes. In addition, no testing of contingency or disaster recovery plans had been performed.

DETAILED FINDINGS AND RECOMMENDATIONS

The audit uncovered 103 findings encompassing all FISCAM review areas.
As part of the review, the audit team evaluated each finding to determine its degree of exposure based on the following exposure ratings:

         High: The security risk is extreme enough to cause on-going operational concerns in the event of an occurrence.

         Medium: The security risk is moderate enough to cause on-going operational annoyances, but would not cause a business disruption in the event of an occurrence.

         Low: The security risk is minimal, causing on-going operational efficiency issues but no business disruption in the event of an occurrence; and/or the event may disrupt operations but the likelihood of an occurrence of that extent is remote.

Using these exposure ratings, the breakdown of findings is as follows:

                     Exposure Rating              Number of Findings
                          High                          13
                          Medium                        52
                          Low                           38
                          Total                        103

Contained in the following pages are the detailed NCC findings and recommendations. They are presented in order of the assigned High, Medium, or Low risk factors. The primary criterion used for the findings was the FCC Directive, FCCINST 1479.1, which is the FCC’s implementation of OMB Circular A-130, on which the FISCAM procedures are based.

APPENDIX B

Audit Criteria

FCC Instruction 1479.1 Computer Security Program Directive, dated November 30, 1995

The purpose of FCC Instruction 1479.1 Computer Security Program Directive, dated November 30, 1995 is as follows:

Purpose. This directive establishes policy and assigns responsibilities for assuring that there are adequate levels of protection for all FCC computer systems (Personal Computers (PCs), Local Area Networks (LAN), the FCC Network, and applications and databases), and information created, stored, or processed, therein. This document addresses issues relating to all aspects of computer systems security, including issues concerning day-to-day security safeguards, business continuity, system accessibility, software licensing, and administrative precautions which can be taken by users of the FCC computer systems and those who manage them.

Section 6.c.3 of FCC Instruction 1479.1 states:

6. Responsibilities.

   c. AMD-IM, Computer Security Officer

       3.      Coordinate with Functional Managers and AMD-IM Network Management Division staff to provide oversight on the process of conducting risk analyses and security test and evaluations (ST&E), the preparation of Continuity of Operations Plans (COOP) and security plans, and the certification of sensitive FCC information systems;

Section 6.d.1 of FCC Instruction 1479.1 states:

   d. AMD-IM, Network Management Division

       AMD-IM, Network Management Division (NMD) will assist with the implementation of this directive and its policy and standards. The Computer Security Officer will coordinate with NMD to assist FCC users in the development of procedures that conform to this directive. Further, NMD shall develop and implement appropriate administrative and technical procedures to conform with this directive, and other related Federal regulations, and FCC directives and policies. To support this effort, NMD shall:

       1.      Coordinate with the Computer Security Officer to establish and maintain procedures which will ensure the security and integrity of respective FCC computer systems. Procedures should provide adequate safeguards for processing and storing sensitive data and limiting access to systems, therein;

Section 6.d.6 of FCC Instruction 1479.1 states:

       6.      Coordinate with the Computer Security Officer to provide oversight on the development and testing of security plans and contingency plans, and provide oversight on the conduct of risk analyses of FCC sensitive systems;

Section 6.e.1 of FCC Instruction 1479.1 states:

   e. AMD-IM, Computer Applications Division

       AMD-IM, Computer Applications Division (CAD) will assist with the implementation of this directive and its policy and standards. The Computer Security Officer will coordinate with CAD to assist FCC users in the development of procedures relating to CAD functions that conform to this directive. To support this effort, CAD shall:

       1.      Provide FCC user assistance to develop application(s) and database security and contingency plans, and as appropriate conduct application risk analyses; and

Section 6.h.1 of FCC Instruction 1479.1 states:

   h. Security Operations Staff, AMD-O, Operations Management & Services Division (Security Operations Staff)

       The Security Operations Staff/Personnel Security Office are responsible for:

       1.      Arranging background checks for FCC users in sensitive computer-related positions as required by applicable regulations; and

Section 6.k.5-6 of FCC Instruction 1479.1 states:

   k. Authorized PC/LAN System Users.

       An informed, educated, and alert user is a crucial factor in ensuring the security of FCC's computer systems and valuable information resources. To support this effort, users shall:

       5.      Recognize the accountability for all activity taking place with the assigned userID and associated account;

       6.      Change computer system passwords every 180 days;

Section 7.a of FCC Instruction 1479.1 states:

7. System Access Controls.

   a. User Identification and Authentication. User identification and authentication occurs whenever a computer session is established. To support this process, each user must use a unique userID/password. The following standards should be followed by FCC users:

       •   Each user must have a unique userID to access FCC computer systems. Under normal circumstances, users should not share their userID or password with anyone. In emergency situations where the user must provide the Help Desk or their supervisor access to their account, the user should change the password immediately upon the next login;

       •   AMD-IM, Network Administrators should review audit logs to determine if there have been repeated unsuccessful attempts to login to FCC computer systems;

       •   Training and maintenance userIDs should be administered through a secure and documented process. These userIDs must be rendered inactive when not being used for training or maintenance tasks;

       •   In general, userIDs should not be permitted to initiate multiple concurrent logins to access FCC computer systems.
Exceptions are considered on a case-\n            by-case basis;\n\n       \xc2\x83    If using automatic login scripts for system access, the script must not contain\n            the user\'s login password;\n\x0c       \xc2\x83   Guest userIDs should be limited to remote printing capabilities for authorized\n           users with an authorized userID account on FCC computer systems; and\n\n       \xc2\x83   Guest userID access to FCC computer systems via remote dial-in must be\n           prohibited.\n\n\n\nSection 7.b of FCC Instruction 1479.1 states:\n\n   b. Password Controls. Passwords are an accepted method of authentication at the\n      FCC and play a vital role in securing access to any FCC computer system.\n      Passwords should be stored with one-way encryption, where only the user has the\n      ability to know the password. Users forgetting their password and requiring the\n      password to be reset should contact the Help Desk. The following are standards\n      on password use for access to FCC computer systems:\n\n       \xc2\x83   Users should select strong passwords (i.e., not the same or reverse as the\n           userID, not the users name or initials, not words easily found in a dictionary,\n           etc.);\n\n       \xc2\x83   Under all circumstances, a unique userID and password, only known by the\n           user, must be used to access FCC computer systems;\n\n       \xc2\x83   User should change passwords periodically, but at a minimum of every 180\n           days, as required by the system;\n\n       \xc2\x83   Use passwords with a minimum length of six characters (alpha/numeric\n           characters are preferred);\n\n       \xc2\x83   Users should not write passwords down, but should be easily remembered;\n\n       \xc2\x83   When a password has been, or is believed to have been compromised, a new\n           password should be established and the user should contact their supervisor or\n           COTR and the Help Desk; and\n\n  
     \xc2\x83   AMD-IM, Network Administrators should set the userID to be revoked if a\n           password attempt threshold of three failed login attempts is exceeded. When\n           the threshold is reached, the user must contact the Help Desk to have the\n           account reset.\n\x0cSection 7.c of FCC Instruction 1479.1 states:\n\n   c. Application/Data Base Controls. Controls should be implemented to assure the\n      integrity of FCC computer systems. These controls should make certain that\n      information and resources correctly reflect the expected and understood\n      configuration and composition of data, applications, and programs operating on\n      FCC computer systems.\n\n   \xc2\x83   FCC users should be restricted to only those resources required for the efficient\n       completion of their job responsibilities;\n\n   \xc2\x83   Access control software and/or network operating system security should be kept\n       current and controls limiting user access to sensitive data, applications, and\n       programs should be in place;\n\n   \xc2\x83   When technically possible, logs should be maintained to monitor system usage,\n       and used to establish accountability for changes to data and programs;\n\n   \xc2\x83   Ensure that software license agreements are adhered to, and as required, ensure\n       that appropriate software metering mechanisms are in place and used to monitor\n       software use;\n\n   \xc2\x83   Ensure that network applications installed on FCC system servers are designated\n       as execute-only or read-only, as necessary; and\n\n   \xc2\x83   Updates and changes to applications/databases should be thoroughly tested to\n       prevent unintentional access capabilities.\n\n\n\nSection 9 of FCC Instruction 1479.1 states:\n\n9. Awareness, Training, and Education. The Computer Security Act of 1987, P.L. 
100-\n   235, was enacted to improve the security and privacy of sensitive information in\n   Federal computer systems. As one way of meeting that goal, the law requires that\n   "each agency shall provide for the mandatory periodic training in computer security\n   awareness and accepted computer practices of all employees who are involved with\n   the management, use, or operation of each federal computer system within or under\n   the supervision of that agency."\n\n\n\nSection 12.c of FCC Instruction 1479.1 states:\n\n12. Software Management. The use of software on FCC computers that is not properly\n    licensed is not permitted. In addition, software that you may have purchased must be\n\x0c   pre-authorized for installation on your local drive (C:). In addition, users are not\n   authorized to place software, that has been licensed for individual use, on any shared\n   drive.\n\n   c. Copying Software from FCC Computer Systems. Users of FCC computer\n      resources are not authorized to copy software from the system. Most software\n      installed on FCC computer systems is designated as execute-only or read-only, as\n      necessary. Users requiring a copy of the software loaded on FCC computer\n      systems for a remote PC should contact the Help Desk for assistance.\n\n\n\nSection 13 of FCC Instruction 1479.1 states:\n\n13. Computer Virus Prevention and Management.\n\n       \xe2\x80\xa2   Use an up-to-date, FCC approved anti-virus program. AMD-IM, NMD will\n           ensure that the most current version of the software selected for use at the\n           Commission is available for use. Users should scan computer drives and\n           check diskettes prior to use, including those received from other employees,\n           contractors, or outside sources.\n\n\n\nSection 14.a of FCC Instruction 1479.1 states:\n\n14. Physical Security and Computer Equipment Handling. 
The offices and work areas\n    where FCC computer systems are located must be physically secured when\n    unattended. Adequate controls should be employed consistent with the value,\n    exposure and sensitivity of the information and equipment that is to be protected.\n    Although the value of a computer can be significant, the value or importance of the\n    information, can be far greater. It is recommended that management establish controls\n    that include any or all of the following:\n\n   a. Area Access Controls. FCC users have a responsibility to create and maintain a\n      secure work environment, and to protect the computer assets used to fulfill\n      business activities. Access to offices and work areas, where FCC information, and\n      computer resources are located, should be controlled in a manner that permits\n      access only to authorized persons. In addition, it is strongly recommended that\n      each user activate the system provided Screen Saver and associated password on\n      their PC. The use of the Screen Saver with password will ensure that while the PC\n      is unattended, no one but the person knowing the password can gain access to the\n      system via the user\'s account.\n\x0c       The controls needed in FCC business areas depend upon the information\n       resources housed in the area and the level of exposure. Managers should\n       implement the following controls to protect information assets under their control:\n\n       \xc2\x83   Ensure that FCC users understand their responsibility for maintaining a secure\n           and safe work area. 
Furthermore, each individual should take reasonable\n           measures to assure the security and safekeeping of the computer systems and\n           information being used; and/or\n\n       \xc2\x83   Ensure that access to areas housing computer resources are controlled.\n           Persons authorized to access area should be FCC users, or visitor(s)\n           accompanied by FCC users.\n\n\n\nSection 14.b of FCC Instruction 1479.1 states:\n\n   b. Preventing Hardware Theft. Information and computer equipment must be\n      protected against theft. Loss of certain information, if not properly backed-up, can\n      require significant effort to recreate. Significant repercussions may ensue if the\n      lost information is subject to FOIA compliance. It is recommended that\n      Bureaus/Offices select and implement security controls that employ any or all of\n      the following measures:\n\n       \xc2\x83   Only authorized FCC users should have access to areas where computer\n           resources, processing sensitive or mission critical FCC information, are\n           housed. Authorization to controlled areas should be granted, and removed\n           when applicable, on a "need to access basis";\n\n       \xc2\x83   Work and storage areas housing computer resources should have locked\n           doors, cabinets, or desks, in use. When computer hardware storing sensitive or\n           mission critical information is not secured by a locked door, it should be\n           secured with equipment enclosures and/or lock-down devices. 
Accessory\n           equipment like modems and external disk drives should be secured in a\n           similar fashion;\n\n       \xc2\x83   Sensitive correspondence, reports and spreadsheets in hard-copy form or on\n           magnetic media should be stored in locked containers, desks or file cabinets;\n           and\n\n       \xc2\x83   FCC users should provide visual coverage of computer resources during\n           business hours if the resources are not in a lockable area.\n\x0cSection 14.f of FCC Instruction 1479.1 states:\n\n   f. Environmental Protection. PCs are sensitive to the quality of electrical power. As\n      a result, surge protectors should be used to regulate electrical current and absorb\n      abnormal electrical levels. Drinking and eating should be discouraged in the\n      immediate vicinity of PCs and related peripherals.\n\n       The Computer Room and hub rooms contain, in most cases, the highest\n       concentration of support equipment and information used at the FCC. Sufficient\n       suppression systems must be installed to mitigate the possibility of power spikes\n       for incoming power supplies. In addition, battery back-up via an uninterruptable\n       power supplies (UPS) or similar process must be installed to provide system(s)\n       server and peripherals support in the event of a power failure.\n\n\n\nSection 15.b of FCC Instruction 1479.1 states:\n\n15. Computer System Business Recovery.\n\n   b. Application and Data Back-Ups. To be usable, copies of electronic media must be\n      made accurately, regularly, and consistently. AMD-IM, NMD shall ensure that\n      adequate network back-ups are maintained, including files created using the\n      standard office automation software suite. Precautions should be made to ensure\n      that the type of media used does not become faulty over time using a periodic test\n      scenario. 
Functional Managers shall ensure that adequate back-ups are made of\n      applications/databases, and data within their control and which are stored on FCC\n      computer systems.\n\nThe off-site location should provide similar protection to environmental threats and\nphysical access, as do that of the Computer Room, and hub rooms.\n\n\n\nSection 16 of FCC Instruction 1479.1 states:\n\n16. Sensitive Data/Application Management. Oversight for computer data and associated\n    resources resides with the Bureau/Office requesting the purchase of the peripheral(s)\n    or development of the application and/or data. Bureau Chiefs and Office Directors\n    should assign ownership to an appropriate Functional Manager within a Division,\n    Branch, or any functional entity within that Bureau/Office. Management\n    responsibilities should not be construed as replacing or diluting the Computer\n    Security Officer\'s or AMD-IM\'s responsibilities for compliance with computer\n    security requirements.\n\n   Designated Functional Managers of FCC\'s computer system/applications should:\n\x0c       \xe2\x80\xa2   Acknowledge responsibility of resources and identify those containing or\n           processing sensitive data;\n\n       \xe2\x80\xa2   Coordinate with the Computer Security Officer to develop protection controls;\n\n       \xe2\x80\xa2   Authorize access to computer resources under their control;\n\n       \xe2\x80\xa2   Educate managers and users on control and protection requirements for\n           computer systems and information;\n\n       \xe2\x80\xa2   Monitor compliance with established security FCC directives, Federal\n           regulations and other applicable mandates, and periodically review control\n           processes; and\n\n       \xe2\x80\xa2   Ensure the conduct of risk analyses and the development of contingency\n           plans.\n\n\n\nSection 19 of FCC Instruction 1479.1 states:\n\n19. Destruction of Sensitive Data. 
The useful life of every computer document should\n    end with its destruction in a safe and secure manner. All forms of media (hard-copy,\n    magnetic, etc.) containing sensitive data require a safeguarded means of destruction.\n\n\n\nOMB Circular A-130 Management of Federal Information Resources,\nrevised February 8, 1996\n\nOMB Circular A-130, Section 5 states:\n\nThe Paperwork Reduction Act establishes a broad mandate for agencies to perform their\ninformation resources management activities in an efficient, effective, and economical\nmanner. To assist agencies in an integrated approach to information resources\nmanagement, the Act requires that the Director of OMB develop and implement uniform\nand consistent information resources management policies; oversee the development and\npromote the use of information management principles, standards, and guidelines;\nevaluate agency information resources management practices in order to determine their\nadequacy and efficiency; and determine compliance of such practices with the policies,\nprinciples, standards, and guidelines promulgated by the Director.\n\x0cOMB Circular A-130, Section 7.n states:\n\n      n.     Users of Federal information resources must have skills, knowledge, and\n             training to manage information resources, enabling the Federal government\n             to effectively serve the public through automated means.\n\n\n\nOMB Circular A-130, Section 8.a.d states:\n\n8. -- Policy:\n\na.    Information Management Policy\n\n                 4.    Records Management. Agencies shall:\n\n                             (d)      Provide training and guidance as appropriate to all agency\n                                      officials and employees and contractors regarding their\n                                      Federal records management responsibilities.\n\n\n\nOMB Circular A-130, Section 8.9.b.4.f states:\n\n8. -- Policy:\n\n        9.      Safeguards. 
Agencies shall:\n\n                 b. Information Systems and Information Technology Management\n\n                 4.    Use of Information Resources\n\n                       (f)         Establish a level of security for all information systems that is\n                                   commensurate with the risk and magnitude of the harm\n                                   resulting from the loss, misuse, or unauthorized access to or\n                                   modification of the information contained in these information\n                                   systems.\n\n\n\nOMB Circular A-130, Section 8.a(c) states:\n\n8. -- Policy:\n\n        a.       Information Management Policy\n                 (c)    Agencies shall limit the sharing of information that identifies\n                 individuals or contains information to that which is legally authorized, and\n\x0c                 impose appropriate conditions on use where a continuing obligation to\n                 ensure the confidentiality of the information exists.\n\n\n\nAppendix III to OMB Circular No. A-130, Section A.3.b.2.a\n\nA. -- Requirements.\n\n3. -- Automated Information Security Programs.\n\n       b. Controls for Major Applications.\n\n          2)      Application Security Plan.\n\n                 a. Application Rules. Establish a set of rules concerning use of and\n                    behavior within the application.\n\n\n\nAppendix III to OMB Circular No. A-130, Section B.a.2.c\n\nB. -- Descriptive Information.\n\na. General Support Systems.\n\nThe following controls are required in all general support systems:\n\n     2.        Security Plan.\n\n       c. Personnel Controls.\n\nIt has long been recognized that the greatest harm has come from authorized individuals\nengaged in improper activities, whether intentional or accidental. In every general\nsupport system, a number of technical, operational, and management controls are used to\nprevent and detect harm. 
Such controls include individual accountability, "least\nprivilege," and separation of duties.\n\nSeparation of duties is the practice of dividing the steps in a critical function among\ndifferent individuals. For example, one system programmer can create a critical piece of\noperating system code, while another authorizes its implementation. Such a control\nkeeps a single individual from subverting a critical process.\n\x0cTitle 18 USC 1030\n\nTitle 18 USC Sec. 1030. Fraud and related activity in connection with computers,\nparagraph (a)(3)states:\n\n   \xe2\x80\xa2   (a) Whoever \xe2\x80\x93\n\n(3) intentionally, without authorization to access any nonpublic computer of a department\nor agency of the United States, accesses such a computer of that department or agency\nthat is exclusively for the use of the Government of the United States or, in the case of a\ncomputer not exclusively for such use, is used by or for the Government of the United\nStates and such conduct affects that use by or for the Government of the United States.\n\n        (b) Whoever attempts to commit an offense under subsection (a) of this section\nshall be punished as provided in subsection (c) of this section.\n\x0c'
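Among the criteria quoted above, Section 7.b of FCC Instruction 1479.1 (with Section 6.k.6) is the one that states concrete, mechanically checkable standards: a minimum length of six characters, a password that is not the same as or the reverse of the userID, not the user's name or initials, not a dictionary word, changed at least every 180 days, and a userID revoked once a threshold of three failed login attempts is exceeded; Section 7.a adds that administrators should review audit logs for repeated unsuccessful logins. The Python below is an added example, not code from the audit report, the FCC or TWM, showing how an auditor or administrator could turn those standards into automated checks. The log line format, the sample userIDs, the tiny word list and the rule that a successful login resets the run of failures are constructed assumptions, not taken from the directive.

```python
"""Automated checks modelled on FCC Instruction 1479.1, sections 6.k.6, 7.a and 7.b.

Added example (not from the audit report or the directive). The log line format,
the sample users and the small word list below are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import date

MIN_LENGTH = 6          # 7.b: minimum length of six characters
MAX_AGE_DAYS = 180      # 6.k.6 / 7.b: change passwords at least every 180 days
LOCKOUT_THRESHOLD = 3   # 7.b: revoke the userID when three failed attempts are exceeded

# Stand-in for a real dictionary word list (assumption, kept tiny for the example).
DICTIONARY = {"password", "welcome", "summer", "letmein", "gettysburg"}


def _as_date(value: date | str) -> date:
    """Accept either a date or an ISO-8601 string such as '2000-05-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def check_password(password: str, user_id: str, full_name: str,
                   last_changed: date | str, today: date | str) -> list[str]:
    """Return the 7.b / 6.k.6 standards the password does not meet (empty list = OK).

    The 'advisory' entry mirrors 7.b's wording that alpha/numeric characters are
    preferred rather than required, so it is reported but not treated as a failure.
    """
    findings: list[str] = []
    pw = password.lower()
    uid = user_id.lower()
    name_parts = full_name.lower().split()
    initials = "".join(part[0] for part in name_parts)

    if len(password) < MIN_LENGTH:
        findings.append("shorter than six characters")
    if pw in (uid, uid[::-1]):
        findings.append("same as or reverse of userID")
    if pw in name_parts or pw == "".join(name_parts) or pw == initials:
        findings.append("user's name or initials")
    if pw in DICTIONARY:
        findings.append("dictionary word")
    if not (re.search(r"[a-z]", pw) and re.search(r"[0-9]", pw)):
        findings.append("advisory: mix of alpha/numeric characters preferred")
    if (_as_date(today) - _as_date(last_changed)).days > MAX_AGE_DAYS:
        findings.append("older than 180 days")
    return findings


# Constructed sample audit log (assumption: "<timestamp> <result> user=<userID>").
SAMPLE_LOG = """\
2000-05-01T08:01:12 LOGIN_FAILED user=jsmith
2000-05-01T08:01:30 LOGIN_FAILED user=jsmith
2000-05-01T08:02:05 LOGIN_FAILED user=jsmith
2000-05-01T08:02:40 LOGIN_FAILED user=jsmith
2000-05-01T08:03:00 LOGIN_OK user=mjones
2000-05-01T08:05:10 LOGIN_FAILED user=mjones
2000-05-01T08:06:00 LOGIN_OK user=mjones
malformed line that the parser skips
"""

LOG_RE = re.compile(r"^\S+ (?P<result>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+)$")


def accounts_to_revoke(log_text: str, threshold: int = LOCKOUT_THRESHOLD) -> dict[str, int]:
    """Audit-log review per 7.a/7.b: map each userID whose run of consecutive failed
    logins exceeds the threshold to the failure count it reached.

    Interpretation (assumption): a successful login resets the run of failures.
    """
    streak: Counter[str] = Counter()
    revoke: dict[str, int] = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue                      # skip lines not in the expected format
        user = match["user"]
        if match["result"] == "LOGIN_OK":
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] > threshold:
                revoke[user] = streak[user]
    return revoke


if __name__ == "__main__":
    for pw in ("jsmith", "htimsj", "smith", "summer", "r7kq2mp"):
        result = check_password(pw, "jsmith", "John Smith", "2000-04-01", "2000-05-01")
        print(f"{pw!r}: {result or 'meets the 7.b standards'}")
    print("userIDs to revoke:", accounts_to_revoke(SAMPLE_LOG))
```

Run stand-alone, the script reports which of the constructed sample passwords fail which standard and that only `jsmith`, with four consecutive failures, crosses the three-attempt threshold; `mjones` never exceeds it because the successful login in between resets the count. Checking candidate passwords against the userID, name and a word list at the time they are set is the control the directive describes; the same function can also be run against a password-age report to find accounts past the 180-day limit.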